Hi,
Sorry for answering in this direct manner instead of via the OAUTH mailing list or so. I would like to point out a practical issue with the HTTP signature spec. I have practical experience with the spec through my work for ING on our PSD2 (European electronic banking scheme) platform. We have implemented this spec (cavage-10) in our platform as well. We experience lots of issues with 3rd party developers who have trouble getting their code right. It is the canonicalisation that is troubling the adoption in practice. People are continuously making mistakes with setting up the payload for signatures / body digest. This can only be solved by making ready-made libraries available. That might be done through vendors and their solutions, and one would probably encounter fewer interoperability issues. However, until then people still have trouble with this spec. Apart from that, the spec is very much a draft and, as I understood from one of the draft members, still not security tested and so perhaps still not secure. Before one can adopt another spec into, in this case, OAuth 2.0 it would be wise to tackle this first. While HTTP signing does help in better authenticating and safeguarding messages/token requests, this will make key management even more important. The risk that HTTP signing in OAUTH might mitigate could very well be far more easily solved by TLS 1.2 or 1.3. That is even better because the implementations are security tested (TLS 1.2, or depending on the supplier/implementer in the process of being tested for TLS 1.3) due to their importance and can be implemented in a turn-key manner. These are, I believe, important attention points that one might think over before extending the OAUTH 2.0 spec even further with perhaps too little gain?
Best regards,
Rob Cordes
Feature Engineer / InfoSec specialist @ ING bank

> On 20 Jan 2020, at 18:33, Richard Backman, Annabelle <richanna=40amazon....@dmarc.ietf.org> wrote:
>
> I would like to discuss HTTP Message Signatures
> <https://tools.ietf.org/html/draft-richanna-http-message-signatures-00> as a
> proof-of-possession mechanism for OAuth. A draft will be available (either as
> an update to draft-ietf-oauth-signed-http-request or as a new individual
> submission).
>
> –
> Annabelle Richard Backman
> AWS Identity
>
>
> From: OAuth <oauth-boun...@ietf.org> on behalf of Rifaat Shekh-Yusef <rifaat.i...@gmail.com>
> Date: Monday, January 20, 2020 at 7:34 AM
> To: oauth <oauth@ietf.org>
> Subject: [OAUTH-WG] OAuth Topics for Vancouver
>
> All,
>
> Please, let us know if you have any topics that you would like to present and
> discuss in Vancouver.
>
> Regards,
> Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
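The canonicalisation step that the message above identifies as the main source of developer errors, shown as an added example that is not code from this thread, from ING's platform, or from the draft authors. It follows the draft-cavage-10 rules for the signing string (header names lowercased, values trimmed, `(request-target)` as lowercase method plus path, lines joined with LF and no trailing LF) and the RFC 3230 `Digest` header over the body. The shared HMAC secret, key id, hostname, path, date and JSON body are all constructed values; the legacy `hmac-sha256` algorithm name is used for readability, and a real deployment would more likely use asymmetric keys. The `naive_signing_string` function reproduces the kind of mistake the message describes (original header casing and order, untrimmed values, no request target) so the server-side `verify` can be seen rejecting it.

```python
import base64
import hashlib
import hmac

# Constructed demo secret and key id; a real deployment uses per-client keys.
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
KEY_ID = "demo-key-1"


def digest_header(body: bytes) -> str:
    """RFC 3230 Digest value (SHA-256 over the raw body) that the signature covers."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(method: str, path: str, headers: dict, covered: list) -> str:
    """Canonical draft-cavage-10 signing string: one line per covered item,
    header names lowercased, values trimmed, joined with LF, no trailing LF."""
    lowered = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in covered:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {lowered[name].strip()}")  # KeyError if header absent
    return "\n".join(lines)


def naive_signing_string(headers: dict) -> str:
    """The mistake seen in practice: original casing and order, untrimmed values,
    no (request-target). The server cannot reproduce this string."""
    return "\n".join(f"{k}: {v}" for k, v in headers.items() if k.lower() != "signature")


def signature_header(covered: list, string_to_sign: str, secret: bytes = SHARED_SECRET) -> str:
    """Build the Signature header value from an already-canonicalised string."""
    mac = hmac.new(secret, string_to_sign.encode(), hashlib.sha256).digest()
    return 'keyId="%s",algorithm="hmac-sha256",headers="%s",signature="%s"' % (
        KEY_ID, " ".join(covered), base64.b64encode(mac).decode())


def parse_signature_header(value: str) -> dict:
    """Split keyId="..",algorithm="..",headers="..",signature=".." into a dict."""
    params = {}
    for part in value.split(","):
        key, _, val = part.partition("=")  # first '=' only; base64 padding stays in val
        params[key.strip()] = val.strip().strip('"')
    return params


def verify(method: str, path: str, body: bytes, headers: dict, secret: bytes = SHARED_SECRET):
    """Server side: check Digest against the body, insist that the request target,
    date and digest are covered, then recompute the canonical string and compare."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "signature" not in lowered:
        return False, "no signature"
    if lowered.get("digest", "").strip() != digest_header(body):
        return False, "digest mismatch"
    params = parse_signature_header(lowered["signature"])
    covered = params.get("headers", "").split()
    for required in ("(request-target)", "date", "digest"):
        if required not in covered:
            return False, "required component not covered: " + required
    try:
        expected = hmac.new(secret, signing_string(method, path, headers, covered).encode(),
                            hashlib.sha256).digest()
        received = base64.b64decode(params["signature"])
    except (KeyError, ValueError):
        return False, "malformed signature"
    if not hmac.compare_digest(expected, received):
        return False, "signature mismatch"
    return True, "ok"


COVERED = ["(request-target)", "host", "date", "digest"]


def build_request(body: bytes, canonical: bool = True) -> dict:
    """Constructed client request; canonical=False reproduces the common mistake."""
    headers = {
        "Host": "api.example.test",
        "Date": "Mon, 20 Jan 2020 18:33:00 GMT ",  # trailing space is trimmed by canonicalisation
        "Content-Type": "application/json",
        "Digest": digest_header(body),
    }
    string_to_sign = (signing_string("POST", "/v1/payments", headers, COVERED)
                      if canonical else naive_signing_string(headers))
    headers["Signature"] = signature_header(COVERED, string_to_sign)
    return headers


if __name__ == "__main__":
    sample_body = b'{"amount": 10}'
    print(verify("POST", "/v1/payments", sample_body, build_request(sample_body)))
    print(verify("POST", "/v1/payments", sample_body, build_request(sample_body, canonical=False)))
```

The verifier rebuilds the signing string only from what it received plus the `headers` parameter, never from anything the client tells it about casing or whitespace; that is why both sides must agree on the canonical form, and why a missing `Digest` in the covered list is treated as a failure rather than silently skipped.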